04-04-2003 08:11 AM - edited 02-20-2020 10:40 PM
hello,
the scenario is this:
I have a user in my network that needs to connect to a VPN server in the Internet, his VPN uses l2tp/ipsec, he uses the windows 2000/XP VPN Client. There is a PIX 535 6.2(2) between the user and his VPN server.
the problem is that this user can't establish a connection with his VPN, he can reach his VPN server, but cannot negotiate a successful login, the VPN client says: "Remote server timeout" when the user tries to authenticate.
The VPN Client logs a successful VPN connection as follows:
******************************************************************
Operating System : Windows NT 5.1 Service Pack 1
Dialer Version : 7.2.2600.1106
Connection Name : ITG Connection Manager for Smart Cards
All Users/Single User : All Users
Start Date/Time : 4/1/2003, 16:43:33
******************************************************************
Module Name, Time, Log ID, Log Item Name, Other Info
For Connection Type, 0=dial-up, 1=VPN, 2=VPN over dial-up
******************************************************************
[cmdial32] 16:43:33 03 Pre-Init Event CallingProcess = C:\WINDOWS\System32\CMMON32.EXE
[cmdial32] 16:43:35 04 Pre-Connect Event ConnectionType = 1
[cmdial32] 16:43:35 09 Custom Action Exe ActionType = Pre-Connect Actions Description = Security Check before Connecting ActionPath = WSCRIPT.EXE. The program was launched successfully.
[cmdial32] 16:43:35 06 Pre-Tunnel Event UserName = my_user@northamerica.corp.company.com Domain = DUNSetting = ITG Connection Manager for Smart Cards Tunnel DeviceName = TunnelAddress = CXN-REDMOND.COMPANY.COM
[cmdial32] 16:44:09 07 Connect Event
[cmdial32] 16:44:09 09 Custom Action Exe ActionType = Connect Actions Description = Run additional cred harvesting for NTLM only aware apps ActionPath = WSCRIPT.EXE. The program was launched successfully.
[cmdial32] 16:44:09 09 Custom Action Exe ActionType = Connect Actions Description = Security Check after Connecting ActionPath = WSCRIPT.EXE. The program was launched successfully.
[cmdial32] 16:44:09 09 Custom Action Exe ActionType = Connect Actions Description = (none) ActionPath = CMDL32.EXE. The program was launched successfully.
[cmdial32] 16:44:09 08 Custom Action Dll ActionType = Connect Actions Description = to determine your proxy server ActionPath = C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Cm\ITGRASSC\CMSAMPLE.DLL ReturnValue = 0x0
[cmdial32] 16:44:09 08 Custom Action Dll ActionType = Connect Actions Description = to configure your IE proxy settings ActionPath = C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Cm\ITGRASSC\CMPROXY.DLL ReturnValue = 0x0
[cmdial32] 16:44:09 09 Custom Action Exe ActionType = Connect Actions Description = (none) ActionPath = CMDL32.EXE. The program was launched successfully.
[cmdial32] 16:44:09 09 Custom Action Exe ActionType = Connect Actions Description = CM Version Checking ActionPath = C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Cm\ITGRASSC\GETCM.EXE. The program was launched successfully.
[CMDL32] 16:44:26 26 Successful Phonebook download PhoneBookName = mscorppb RequestedPBVer = 73 PBServerUrl = cusredb11rad02
[CMDL32] 16:44:26 28 Phonebook successfully updated Type = No update required PhoneBookName = mscorppb OldPBVer = 73 NewPBVer = 73 PBServerUrl = cusredb11rad02
[CMDL32] 16:44:30 26 Successful Phonebook download PhoneBookName = Cisco RequestedPBVer = 73 PBServerUrl = cusredb11rad02
[CMDL32] 16:44:30 28 Phonebook successfully updated Type = No update required PhoneBookName = Cisco OldPBVer = 73 NewPBVer = 73 PBServerUrl = cusredb11rad02
[CMDL32] 16:44:36 27 Phonebook download failed ErrorCode = 204 PhoneBookName = MSROI PBServerUrl = phonebook.attglobal.net
[CMDL32] 16:44:37 27 Phonebook download failed ErrorCode = 204 PhoneBookName = MSPPP PBServerUrl = pbkMS.equant.com
[CMDL32] 16:44:48 27 Phonebook download failed ErrorCode = 502 PhoneBookName = UUpMSemp PBServerUrl = pbk.uudial.uu.net
[cmdial32] 17:01:15 12 Disconnect Event CallingProcess = C:\WINDOWS\explorer.exe
[CMMON32] 17:01:15 22 External Disconnect
[cmdial32] 17:01:15 08 Custom Action Dll ActionType = Disconnect Actions Description = to restore your previous IE proxy settings ActionPath = C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Cm\ITGRASSC\CMPROXY.DLL ReturnValue = 0x0
[cmdial32] 17:01:15 09 Custom Action Exe ActionType = Disconnect Actions Description = Security Check after Disconnect ActionPath = WSCRIPT.EXE. The program was launched successfully.
[cmdial32] 17:01:15 09 Custom Action Exe ActionType = Disconnect Actions Description = Install Updated CM Profile ActionPath = C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Cm\ITGRASSC\INSTCM.EXE. The program was launched successfully.
and the Log when trying to connect behind the PIX:
******************************************************************
Operating System : Windows NT 5.1 Service Pack 1
Dialer Version : 7.2.2600.1106
Connection Name : ITG Connection Manager for Smart Cards
All Users/Single User : All Users
Start Date/Time : 4/2/2003, 13:15:00
******************************************************************
Module Name, Time, Log ID, Log Item Name, Other Info
For Connection Type, 0=dial-up, 1=VPN, 2=VPN over dial-up
******************************************************************
[cmdial32] 13:15:00 03 Pre-Init Event CallingProcess = C:\WINDOWS\explorer.exe
[cmdial32] 13:15:09 04 Pre-Connect Event ConnectionType = 1
[cmdial32] 13:15:09 09 Custom Action Exe ActionType = Pre-Connect Actions Description = Security Check before Connecting ActionPath = WSCRIPT.EXE. The program was launched successfully.
[cmdial32] 13:15:09 06 Pre-Tunnel Event UserName = my_user@northamerica.corp.company.com Domain = DUNSetting = ITG Connection Manager for Smart Cards Tunnel DeviceName = TunnelAddress = CXN-REDMOND.COMPANY.COM
[cmdial32] 13:15:37 19 On-Cancel Event
[cmdial32] 13:15:46 04 Pre-Connect Event ConnectionType = 1
[cmdial32] 13:15:46 09 Custom Action Exe ActionType = Pre-Connect Actions Description = Security Check before Connecting ActionPath = WSCRIPT.EXE. The program was launched successfully.
[cmdial32] 13:15:46 06 Pre-Tunnel Event UserName = my_user@northamerica.corp.company.com Domain = DUNSetting = ITG Connection Manager for Smart Cards Tunnel DeviceName = TunnelAddress = CXN-REDMOND.COMPANY.COM
[cmdial32] 13:16:29 20 On-Error Event ErrorCode = 721 ErrorSource = RAS
I have no access-lists in my PIX, and I use PAT.
Is there an additional configuration that I have to enter in the PIX in order to permit this kind of traffic? Is it that I have to use NAT besides PAT? Do I need to permit traffic from the outside interface?
thank you in advance
04-05-2003 09:52 PM
Hi,
you need to make sure that:
1 - you have a static NAT for the PC on the PIX (PAT won't work)
2 - open up UDP 500, UDP 1701, and ESP traffic for client NATed address on the PIX.
Thx
Afaq
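As an added illustration of the two points in the reply above (this is not configuration from the thread), the same thing in PIX 6.x syntax; the inside PC 10.1.1.50, the public address 203.0.113.10 and the VPN server address 198.51.100.20 are constructed placeholders. ESP carries no port numbers, so a PAT device has nothing to multiplex on, which is why a one-to-one static is needed; limiting the permits to the VPN server's address instead of `any` keeps the exposure of the static address to that one peer.

```text
! Constructed example (not from the thread). Placeholders:
!   10.1.1.50      inside PC running the Windows 2000/XP L2TP/IPsec client
!   203.0.113.10   spare public address on the PIX outside interface
!   198.51.100.20  the L2TP/IPsec VPN server on the Internet
!
! 1 - one-to-one static for this PC instead of PAT: ESP has no ports, so
!     PAT cannot track it, and the static also keeps the client's IKE
!     source port 500 unchanged, which a peer without NAT-T expects.
static (inside,outside) 203.0.113.10 10.1.1.50 netmask 255.255.255.255 0 0

! 2 - let the VPN server reach the static address with IKE (UDP 500),
!     L2TP (UDP 1701) and ESP (IP protocol 50). Restricting the source to
!     the server's host address is a tightening beyond what the reply asks.
access-list outside_in permit udp host 198.51.100.20 host 203.0.113.10 eq isakmp
access-list outside_in permit udp host 198.51.100.20 host 203.0.113.10 eq 1701
access-list outside_in permit esp host 198.51.100.20 host 203.0.113.10
access-group outside_in in interface outside

! While the user retries, confirm the translation exists and the
! permit lines are actually being hit:
show xlate
show access-list outside_in
```

If the access-list hit counts stay at zero for ESP while UDP 500 climbs, the static is not being used for the client's traffic and the first step should be rechecked before looking at the VPN server.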